2018-09-04 - QUICK POST: HANCITOR MALSPAM USES PDF ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2018-09-04-Hancitor-malspam-example.eml.zip 125 kB (125,192 bytes)
- 2018-09-04-Hancitor-infection-traffic.pcap.zip 2.4 MB (2,378,919 bytes)
- 2018-09-04-malware-from-Hancitor-malspam-infection.zip 434 kB (434,078 bytes)
NOTES:
- Today's Hancitor malspam used PDF attachments instead of links in the message text to download the malicious Word doc.
- The link to the Word doc was inside the PDF attachment.
- Time to update the flow chart....
Shown above: Chain of events for today's Hancitor malspam infection.
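For triage of this delivery method, the following added example (not from the original post) pulls link URIs out of PDF attachments in an .eml file and flags those pointing at a Word document. It assumes the PDF stores its /URI action in an uncompressed object; the function names, the sample message and the example.com/download.example addresses are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Matches /URI (...) in uncompressed PDF objects, allowing escaped characters.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
DOC_EXT = (".doc", ".docm", ".docx")

def pdf_link_uris(pdf_bytes):
    """Return link URIs found in uncompressed PDF objects."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
        out.append(raw.decode("latin-1"))
    return out

def triage_eml(eml_bytes):
    """Map each PDF attachment name to (uri, points_at_word_doc) pairs."""
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/pdf" or data.startswith(b"%PDF-"):
            report[part.get_filename()] = [
                (u, u.lower().split("?")[0].endswith(DOC_EXT))
                for u in pdf_link_uris(data)]
    return report

def build_sample_eml():
    """Constructed sample: a message with a minimal PDF holding one link."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (http://download.example/invoice_123.doc) >> >>\n"
           b"endobj\n%%EOF\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="invoice_123.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, links in triage_eml(build_sample_eml()).items():
        for uri, is_doc in links:
            print(name, uri, "WORD-DOC-LINK" if is_doc else "")
```

PDFs that keep their annotations in compressed object streams need to be decompressed with a PDF parser first; this regex pass will report no links for them.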
IMAGES
Shown above: Screenshot of an email from today's wave of Hancitor malspam.
Shown above: PDF attachment from the malspam.
Shown above: After downloading the Word doc, enable macros to infect a vulnerable Windows host.
Shown above: Traffic from the infection filtered in Wireshark.